Support SPDX identifiers
joshfriend opened this issue
I'd like to be able to only allowlist/blocklist specific licenses by their SPDX identifiers (e.g. Apache-2.0), as opposed to the various forms that pop up in packages:
apache 2.0
apache software 2.0
apache license 2.0
apache software license 2.0
the idkapache software license 2.0
Full list of SPDX identifiers is at: https://spdx.org/licenses/
This project has a similar mapping of frequently used identifiers to their proper SPDX identifier:
https://github.com/NFJones/pipoe/blob/master/pipoe/licenses.py
Of course, this only gets you so far as some projects have ambiguous metadata that doesn't explicitly specify the license version (like dateutil for example). Perhaps this could be part of the normal/cautious/paranoid checking levels where "normal" might map "apache" to any version, but "paranoid" would not match unless it included a version number.
I believe this would eliminate the need for #53 as well?
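One way to implement the normalization and the level-dependent matching sketched in this issue, as an added example rather than code from this project or from pipoe. It assumes a small constructed subset of the SPDX list (the real list is at https://spdx.org/licenses/) and assumes the following semantics for the levels, which the issue only sketches: "normal" accepts an unversioned family name if any identifier in that family is allowlisted, "cautious" only if every identifier in the family is allowlisted, and "paranoid" only when the string resolves to exactly one SPDX identifier (an unversioned name like "apache" therefore never matches in paranoid mode, while "MIT", which has no versions, still does).

```python
"""Map free-form license strings from package metadata to SPDX identifiers.

Added example; not the project's own code. The SPDX subset below is a
constructed sample, and the level semantics are assumptions made here.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of the SPDX license list: family -> {version: SPDX id}.
# A None version key marks a family that has no versions (e.g. MIT).
SPDX_FAMILIES: Dict[str, Dict[Optional[str], str]] = {
    "apache": {"1.1": "Apache-1.1", "2.0": "Apache-2.0"},
    "mit": {None: "MIT"},
    "bsd": {"2": "BSD-2-Clause", "3": "BSD-3-Clause"},
    "gpl": {"2.0": "GPL-2.0-only", "3.0": "GPL-3.0-only"},
    "lgpl": {"2.1": "LGPL-2.1-only", "3.0": "LGPL-3.0-only"},
}

# A token is an optional word, an optional "v", and an optional version number,
# so "gplv3", "apache", "2.0" and "v2" are all handled by one pattern.
_TOKEN_RE = re.compile(r"([a-z]*?)v?(\d+(?:\.\d+)?)?")


def parse(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract (family, version) from a metadata string such as
    'Apache Software License 2.0'. Unknown words are ignored, so noise
    like 'the', 'software' or 'license' needs no special handling."""
    cleaned = re.sub(r"[^a-z0-9.\s]", " ", text.lower())  # keep dots for versions
    family: Optional[str] = None
    version: Optional[str] = None
    for token in cleaned.split():
        match = _TOKEN_RE.fullmatch(token)
        if not match:
            continue
        word, number = match.group(1), match.group(2)
        if family is None and word in SPDX_FAMILIES:
            family = word
        if version is None and number is not None:
            version = number
    return family, version


def _canon_version(family: str, version: str) -> Optional[str]:
    """Normalize '2' -> '2.0' for Apache, '3.0' -> '3' for BSD, etc."""
    keys = [k for k in SPDX_FAMILIES[family] if k is not None]
    for candidate in (version, version + ".0", version.split(".")[0]):
        if candidate in keys:
            return candidate
    return None


def candidates(text: str) -> List[str]:
    """Return every SPDX identifier the string could denote. An unversioned
    family name yields all identifiers in that family; an unknown family
    or an unknown version yields nothing."""
    family, version = parse(text)
    if family is None:
        return []
    table = SPDX_FAMILIES[family]
    if version is None:
        return sorted(table.values())
    canon = _canon_version(family, version)
    return [table[canon]] if canon in table else []


def is_allowed(text: str, allowlist: Set[str], level: str = "normal") -> bool:
    """Decide whether a license string passes the allowlist at a given level.
    The level semantics are assumptions made for this example."""
    found = candidates(text)
    if not found:
        return False
    if level == "normal":
        return any(spdx in allowlist for spdx in found)
    if level == "cautious":
        return all(spdx in allowlist for spdx in found)
    if level == "paranoid":
        return len(found) == 1 and found[0] in allowlist
    raise ValueError(f"unknown level: {level}")


if __name__ == "__main__":
    # Constructed sample inputs mirroring the variants quoted in the issue.
    allowed = {"Apache-2.0", "MIT"}
    for sample in ("apache 2.0", "apache software license 2.0",
                   "Apache-2.0", "apache", "GPLv3", "MIT"):
        print(f"{sample!r:35} -> {candidates(sample)} "
              f"normal={is_allowed(sample, allowed)} "
              f"paranoid={is_allowed(sample, allowed, 'paranoid')}")
```

Because the matcher works on the SPDX identifier rather than the raw string, an allowlist entry such as `Apache-2.0` covers every spelling in the issue, and the string "apache" with no version is where the levels diverge.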
I did not know about SPDX identifiers, and this looks like a great idea!
> I believe this would eliminate the need for #53 as well?

Indeed
This request seems even more valuable now that SPDX is the de-facto standard for licensing information.